Earlier this week, 23andMe admitted that an October hack was dramatically worse than the company initially admitted, affecting 6.9 million people, not the 14,000 it first reported. 23andMe followed up with an early Christmas present for users: a terms of service update that funnels disgruntled users into a mass arbitration process instead of a class-action lawsuit. The stolen data includes full names, genetic information, and more, but despite the sensitivity of the information, some consumers responded with a shrug. As one TikTok user commented on a video about the subject, “What are they going to do, to clone me?”
Hackers probably won’t use your DNA information to make you a lab-grown baby brother, but experts agree: this hack is a catastrophe.
“The truth is that none of us fully know the implications of this breach today, only the certainty that it will grow worse over time,” said Albert Fox Cahn, Executive Director of the Surveillance Technology Oversight Project. “The ability to weaponize DNA data will only grow more acute as computers grow more powerful. From our health profiles to our family trees to far subtler details of our biology, this hack could potentially reveal so much.”
According to a 23andMe spokesperson, hackers stole data including people’s names, birth year, relationship labels, family name, and location. An additional 1.4 million people who opted-in to DNA Relatives also “had their Family Tree profile information accessed.” The worst, however, was the genetic info. Not only did hackers steal information about the percentage of DNA users shared with relatives, but 23andMe also leaked ancestry reports and matching DNA segments (specifically where on their chromosomes they and their relatives had matching DNA).
It seems this data is already up for sale. Wired reported in October that a user has advertised stolen 23andMe data on a well-known hacking forum around the time of the data breach. The user published the alleged data of one million users of Jewish Ashkenazi descent and 100,000 Chinese 23andMe users as proof, asking for $1 to $10 per person in the data set.
In general, companies have a legal obligation to protect their customers from data breaches. Under other circumstances, the 23andMe hack could expose the company to lawsuits, but that’s taken care of thanks to an “arbitration clause” in its terms of service which forces you to give up your right to sue. The company published a terms of service update last week (coincidentally, around the time it notified the Securities and Exchange Commission of its hacking debacle) that outlines a new “mass arbitration” process, which means users with the same complaint against 23andMe won’t be able to seek restitution individually.
“The new TOS include a mass arbitration provision which allows for more efficient resolution of disputes,” a 23andMe spokesperson told Gizmodo. The company did not respond to other questions related to this article.
Users can opt out of the new arbitration provision by emailing [email protected] by January 4.
For many, it’s hard to grasp exactly why it matters that all this data is floating around on the internet. Hacks and breaches happen all the time, not to mention the trillions of data points companies like Google and Meta hoover up through more “legitimate” means.
The problem, experts say, is you rarely feel the consequences directly. Your personal information is used in complicated and obscure ways for all kinds of purposes behind closed doors. It has dramatic effects on your life, you just never know what data is responsible for any particular dilemma.
“Zooming out to the larger system of commercial profiling, it really does impact opportunity loss sometimes,” Suzanne Bernstein, a law fellow at the Electronic Privacy Information Center, told Gizmodo. “The data that’s collected from you determines what you are or aren’t offered. That can be something innocuous like which target ads you see or what email blasts you get, but it also enables discrimination.”
In the past, consumer data has been used to exclude certain demographics from job opportunities or vacant apartments. The personal information flying around the internet gets used in hiring decisions and credit applications, insurance companies even use it to set premiums. And, of course, the more detailed information criminals can dig up, the more likely you are to fall victim to identity theft.
Genetic information might seem disconnected from these problems, but it’s not.
You can’t change your genetic information, so it’s sensitive in and of itself, Bernstein said. “But it can also be used to make inferences about other health information, such as a diagnosis or medical family history,” she said. “There’s a serious risk of that becoming part of the profiling that happens in the broader ecosystem.”
And that only factors in the ways that we know DNA information can be used today. Gene science is a rapidly developing field. There’s no telling what this information could reveal in the future.
“Privacy and surveillance are heavily contextual, and as new genetic analysis, targeting, and surveillance technologies are developed, the context around genetic data privacy and surveillance will greatly change in ways that many people now cannot foresee,” said Justin Sherman a Senior Fellow at Duke’s Sanford School of Public Policy, and founder of Global Cyber Strategies.
23andMe stopped short of abdicating its responsibility altogether, but its public statements on the hack have an air of victim blaming. A spokesperson said the data breach resulted from people recycling passwords they had used on other accounts. Apparently, hackers used passwords that leaked elsewhere to break into 14,000 people’s accounts, a dead simple security breach known as credential stuffing.
Because 23andMe is designed as a data harvesting panopticon that pressures customers to share their data with everyone from other users to the company’s partners in the pharmaceutical industry, the hackers were able to use these 14,000 compromised accounts to steal information about millions of other people on the platform.
Reusing passwords is asking for trouble, but security professionals understand that bad password practices are a guarantee. According to experts, the 23andMe hack was easily preventable.
If nothing else, “It’s unacceptable that 23andMe neglected to require two-factor authentication (2FA) for account access,” said Patrick Jackson, Chief Technology Officer at Disconnect, a digital security company. “Attackers often target sites with sensitive data, like 23andMe, especially those without required 2FA, making them vulnerable to credential stuffing attacks.”
Correction: A previous version of this article incorrectly stated that 23andMe introduced binding arbitration to its terms of service. In fact, it amended the existing policy to include mass arbitration. Additionally, this article stated that customers have until December 30 to opt out; the correct date is January 4.